Abstract. Elliptic curves have a well-known and explicit theory for the
construction and application of endomorphisms, which can be applied to
improve performance in scalar multiplication. Recent work has extended
these techniques to hyperelliptic Jacobians, but one obstruction is the
lack of explicit models of curves together with an efficiently computable
endomorphism. In the case of hyperelliptic curves there are limited
examples, most methods focusing on special CM curves or curves defined
over a small field. In this article we describe three infinite families of
curves which admit an efficiently computable endomorphism, and give
algorithms for their efficient application.

Keywords. Hyperelliptic curve cryptography, efficiently computable
endomorphisms.



1 Introduction 

The use of efficiently computable endomorphisms for speeding up point
multiplication is well established for elliptic curves, and more recently
has been used for hyperelliptic curves. Koblitz ^U] proposed $\tau$-adic
expansions of the Frobenius endomorphism on curves over small finite fields.
Gallant, Lambert, and Vanstone [oj later proposed using an expression

$$[k]P = [k_0]P + [k_1]\phi(P)$$

on more general curves to evaluate multiplication by $k$ on a point $P$, using
an efficiently computable endomorphism $\phi$. Various improvements and
combinations of these methods have been proposed for both elliptic and
hyperelliptic curves unniii.

One feature of elliptic curves, not available for multiplicative groups of
finite fields, is the freedom to choose a parameter: geometrically they form a
one-dimensional family, parametrized by the $j$-invariant. Restriction to
curves of a special form destroys this degree of freedom. While no proof
exists that special curves, CM curves or Koblitz curves are less secure, these
nonrandom curves can be qualitatively distinguished from their random cousins
in terms of their endomorphism rings. Thus preference is often given to curves
randomly selected over a large finite field when performance is not the
determining issue.



In contrast, hyperelliptic curves of genus $g$ admit a much larger degree of
freedom. In genus 2, they form a three-dimensional family: curves with
different classifying triples of invariants $(j_1, j_2, j_3)$ cannot be
isomorphic over any extension field. Until the recent work of Takashima [19],
the only curves proposed for cryptographic use with efficiently computable
endomorphisms are either the CM curves with exceptional automorphisms (the
analogues of the elliptic curves $y^2 = x^3 + a$ or $y^2 = x^3 + ax$) or
Koblitz curves (curves defined over a small field with points on the Jacobian
taken over a large prime degree extension); see Park et al. JS] for the former
and Lange JT] for the latter. Besides the notable exceptions of CM curves with
exceptional automorphisms, curves with CM have been exploited for point
counting but not for their endomorphism ring structure, for lack of a
constructive theory of efficiently computable endomorphisms.

In this work, we address the problem of effective algorithms for
endomorphisms available on special families of curves. We describe three
families, of dimensions 1, 1, and 2 respectively, of curves whose Jacobians
admit certain real endomorphisms. First, we introduce the general framework
for constructing endomorphisms via correspondences derived from covering
curves. Subsequently, we provide a one-dimensional family derived from
Artin-Schreier covers, then describe a construction of Tautz, Top, and
Verberkmoes [20] for a one-dimensional family of curves with explicit
endomorphisms deriving from cyclotomic covers. Finally, we describe an elegant
construction of Mestre [14] from which we obtain a two-dimensional family of
curves whose Jacobians admit explicit endomorphisms, derived from covers of
elliptic curves. In each case we develop explicit algorithms for efficient
application of the endomorphism, suitable for use in a GLV decomposition.
Independently, Takashima [19] provided an efficient algorithm for
endomorphisms in the latter family (in terms of variants of Brumer and
Hashimoto) with real multiplication by $(1 + \sqrt{5})/2$. These families
provide a means of generating curves randomly selected within a large family,
yet which admit efficiently computable endomorphisms.

2 Arithmetic on Hyperelliptic Jacobians 

In the sequel we denote by $X/k$ a hyperelliptic curve of genus $g_X$ in the form

$$v^2 = f(u) = u^{2g_X+1} + c_{2g_X}u^{2g_X} + \cdots + c_0,$$

with each $c_i$ in $k$, which we require to be a field of characteristic not 2.
The Jacobian of $X$, denoted $\mathrm{Jac}(X)$, is a $g_X$-dimensional variety
whose points form an abelian group. Let $O$ denote the point at infinity of
$X$. Each point $P$ on $\mathrm{Jac}(X)$ may be represented by a divisor on
$X$, that is, as a formal sum of points

m m 
»=1 i=l 

where $m \le g_X$. We say such a divisor is semi-reduced if
$(u_i, v_i) \ne (u_j, -v_j)$ for all $i \ne j$. For a point to be defined in
$\mathrm{Jac}(X)(k)$, its divisor must be Galois-stable; the representation as
a divisor has the disadvantage that the individual points $(u_i, v_i)$ may be
defined only over some finite extension $K/k$. Thus, for computations, we use
instead the Mumford representation for divisors, identifying $P$ with the
ideal class

$$P = [(a(u), v - b(u))],$$

where $a$ and $b$ are polynomials in $k[u]$ such that
$a(u) = \prod_i (u - u_i)$ and $v_i = b(u_i)$ for all $i$. In this guise,
addition of points $P$ and $Q$ is an ideal product, followed by a reduction
algorithm to produce a unique "reduced" ideal representing $P + Q$.
Cantor [1] provides algorithms to carry out these operations.

Algorithm 1. Given a semi-reduced representative $(a(u), v - b(u))$ for a point
$P$ on the Jacobian of a hyperelliptic curve $X : v^2 = f(u)$, returns the
reduced representative of $P$.

function CantorReduction((a(u), v - b(u)))
    while deg(a) > g_X do
        a := (f - b^2)/a;
        b := -b mod a;
    end while;
    a := a/LeadingCoefficient(a);
    return (a, v - b(u));
end function;

Each iteration of Algorithm 1 replaces $a$ with a polynomial of degree
$\max(2g_X + 1 - \deg(a), \deg(a) - 2)$. It follows that Algorithm 1 will
produce a reduced representative for the ideal class $[(a(u), v - b(u))]$
after $\lceil(\deg(a) - g_X)/2\rceil$ iterations.

3 Explicit Endomorphisms 

Let $C$ be a curve with an automorphism $\zeta$ and let $\pi : C \to X$ be a
covering of $X$. We have two coverings, $\pi$ and $\pi \circ \zeta$, from $C$
to $X$; together, they induce a map $\eta$ of divisors

$$\eta := (\pi \circ \zeta)_*\pi^* : \mathrm{Div}(X) \to \mathrm{Div}(X),$$

where

$$\pi^*([P]) = \sum_{Q \in \pi^{-1}(P)} e_\pi(Q)[Q] \quad\text{and}\quad (\pi \circ \zeta)_*([Q]) = [\pi(\zeta(Q))].$$

This map on divisors induces an endomorphism of the Jacobian
$\mathrm{Jac}(X)$, which we also denote $\eta$.

In our constructions, we take $\pi$ to be the quotient by an involution
$\sigma$ of $C$, so that $\pi$ is a degree-2 covering, and
$\pi = \pi \circ \sigma$. Thus

$$\pi^*([P]) = [Q] + [\sigma(Q)]$$

for any point $Q$ in $\pi^{-1}(P)$. We will take $\zeta$ to be an automorphism
of $C$ of prime order $p$, such that $\langle \zeta, \sigma \rangle$ is a
dihedral subgroup of the automorphism group of $C$: that is,
$\sigma\zeta = \zeta^{-1}\sigma$. The following proposition describes the
resulting endomorphism $\eta = (\pi \circ \zeta)_* \circ \pi^*$.



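Proposition 2. Let $C$ be a curve with an involution $\sigma$ and an
automorphism $\zeta$ of prime order $p$ such that
$\sigma\zeta = \zeta^{-1}\sigma$. Let $\pi : C \to X := C/\langle\sigma\rangle$
be the quotient of $C$ by the action of $\sigma$, and let
$\eta := (\pi \circ \zeta)_* \circ \pi^*$ be the endomorphism of
$\mathrm{Jac}(X)$ induced by $\zeta$. The subring $\mathbb{Z}[\eta]$ of
$\mathrm{End}(\mathrm{Jac}(X))$ is isomorphic to
$\mathbb{Z}[\zeta_p + \zeta_p^{-1}]$, where $\zeta_p$ is a primitive $p$-th
root of unity over $\mathbb{Q}$.

Proof. The subring $\mathbb{Z}[\zeta_* + \zeta_*^{-1}]$ of
$\mathrm{End}(\mathrm{Jac}(C))$ is isomorphic to
$\mathbb{Z}[\zeta_p + \zeta_p^{-1}]$, since $p$ is prime. The statement
follows upon noting that the following diagram commutes.

$$\begin{array}{ccc}
\mathrm{Jac}(C) & \xrightarrow{\ \zeta_* + \zeta_*^{-1}\ } & \mathrm{Jac}(C) \\
\downarrow{\scriptstyle \pi_*} & & \downarrow{\scriptstyle \pi_*} \\
\mathrm{Jac}(X) & \xrightarrow{\quad \eta \quad} & \mathrm{Jac}(X)
\end{array}$$

To see this, observe that for any $Q$ in $\mathrm{Jac}(C)$ we have

$$\begin{aligned}
\eta(\pi_*(Q)) &= \pi_*\zeta_*\pi^*\pi_*(Q) \\
&= \pi_*\zeta_*(1 + \sigma_*)(Q) \\
&= \pi_*(\zeta_* + \sigma_*\zeta_*^{-1})(Q) \\
&= \pi_*(\zeta_* + \zeta_*^{-1})(Q),
\end{aligned}$$

since $\pi^*\pi_* = (1 + \sigma_*)$ and $\pi_*\sigma_* = \pi_*$. See also
Ellenberg 0] §2]. □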

Suppose $C$, $X$, $\pi$, $\zeta$ and $\eta$ are as in Proposition 2. Our aim
is to give an explicit realization of the endomorphism $\eta$ of
$\mathrm{Jac}(X)$, in the form of a map on ideal classes. To do this, we form
the algebraic correspondence

$$Z := (\pi \times (\pi \circ \zeta))(C) \subset X \times X.$$

Let $\pi_1$ and $\pi_2$ be the restrictions to $Z$ of the projections from
$X \times X$ to its first and second factors, respectively; then
$\eta = (\pi_2)_* \circ \pi_1^*$. We will give an affine model for $Z$ as the
variety cut out by an ideal in
$k[u_1, v_1, u_2, v_2]/(v_1^2 - f(u_1), v_2^2 - f(u_2))$; for this model, the
maps $\pi_1$ and $\pi_2$ are defined by
$\pi_i(u_1, v_1, u_2, v_2) = (u_i, v_i)$.

Suppose that $Z$ is defined by an ideal $(v_2 - v_1, E(u_1, u_2))$, where $E$
is quadratic in $u_1$ and $u_2$ (this will be the case in each of our
constructions). If $(u, v)$ is a generic point on $X$, then
$\pi_1^*([(u, v)])$ is the effective divisor on $Z$ cut out by
$(v_2 - v, E(u, u_2))$. Therefore, if $e_1$ and $e_2$ are the solutions in
$\overline{k(u)}$ to the quadratic equation $E(u, x) = 0$ in $x$, then

$$\eta([(u, v)]) = (\pi_2)_*\pi_1^*([(u, v)]) = [(e_1, v)] + [(e_2, v)].$$

It remains to translate this description of the action of $\eta$ in terms of
points into a map on ideal classes.

Suppose $[(a(u), v - b(u))]$ is a point on $\mathrm{Jac}(X)$. Extending the
above, we have

$$\begin{aligned}
\eta([(a(u), v - b(u))]) &= [(a(e_1), v - b(e_1))] + [(a(e_2), v - b(e_2))] \\
&= \left[\left(N(a),\ v - \frac{f(u) + N(b)}{T(b)} \bmod N(a)\right)\right],
\end{aligned}$$

where $N(a) = a(e_1)a(e_2)$, $N(b) = b(e_1)b(e_2)$, and
$T(b) = b(e_1) + b(e_2)$ (see footnote 1). Since the functions $N(a)$, $N(b)$
and $T(b)$ are symmetric polynomials in $e_1$ and $e_2$, we can write each as
a polynomial in the elementary symmetric functions $e_1 + e_2$ and $e_1e_2$.
Moreover, $e_1 + e_2$ and $e_1e_2$ are elements of $k(u)$: if
$E(u, x) = E_2(u)x^2 + E_1(u)x + E_0(u)$, then $e_1 + e_2 = -E_1/E_2$ and
$e_1e_2 = E_0/E_2$.

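Definition 3. For any polynomial $a(x)$ over $k$, we define
$T(a) = a(e_1) + a(e_2)$ and $N(a) = a(e_1)a(e_2)$, and for $i, j \ge 0$ we
define

$$t_i := e_1^i + e_2^i, \quad n_i := (e_1e_2)^i \quad\text{and}\quad n_{i,j} := e_1^ie_2^j + e_1^je_2^i.$$

Note that $t_i$ and $n_{i,j}$ are elements of $k(u)$ and that

$$T\left(\sum_{i=0}^{g_X} a_ix^i\right) = \sum_{i=0}^{g_X} a_it_i \qquad (1)$$

and

$$N\left(\sum_{i=0}^{g_X} a_ix^i\right) = \sum_{i=0}^{g_X}\sum_{j=i}^{g_X} a_ia_jn_{i,j}. \qquad (2)$$

The following elementary lemma provides simple recurrences for the
construction of the sequences $\{t_i\}$ and $\{n_{i,j}\}$.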

Lemma 4. The elements $t_i$, $n_i$ and $n_{i,j}$ satisfy the following
recurrences:

1. $n_{i+1} = (e_1e_2)n_i$ for $i \ge 0$, with $n_0 = 1$;

2. $t_{i+1} = (e_1 + e_2)t_i - (e_1e_2)t_{i-1}$ for $i \ge 1$, with $t_0 = 2$ and $t_1 = e_1 + e_2$;

3. $n_{i,i} = n_i$ and $n_{i,j} = n_it_{j-i}$ for $i \ge 0$ and $j > i$.

Equations (1) and (2) above express $T$ and $N$ in terms of the functions
$t_i$ and $n_{i,j}$, which depend only upon $t_1$ and $n_1$ by Lemma 4. Thus,
given $t_1 = e_1 + e_2$ and $n_1 = n_{1,1} = e_1e_2$, the recurrences of
Lemma 4 give a simple and fast algorithm for computing the maps $T$ and $N$.
If we further assume that $T$ and $N$ will only be evaluated at polynomials
$a$ and $b$ from reduced ideal class representatives $(a(u), v - b(u))$, then
we need only compute the $t_i$ and $n_{i,j}$ for $0 \le i \le j \le g_X$.

Algorithm 5. Given functions $t_1$ and $n_1$ in $k(u)$ together with the genus
$g_X$ of a curve $X$, returns the maps $T$ and $N$ of Definition 3.

function RationalMaps(t_1, n_1, g_X)
    n_0 := 1;
    t_0 := 2;
    for i in [1, ..., g_X] do
        n_{i+1} := n_1 n_i;
        t_{i+1} := t_1 t_i - n_1 t_{i-1};
    end for;
    for i in [1, ..., g_X] do
        for j in [i + 1, ..., g_X] do
            n_{i,j} := n_i t_{j-i};
        end for;
    end for;
    T := (sum_{i=0}^{g_X} a_i x^i  |->  sum_{i=0}^{g_X} a_i t_i);
    N := (sum_{i=0}^{g_X} a_i x^i  |->  sum_{i=0}^{g_X} sum_{j=i}^{g_X} a_i a_j n_{i,j});
    return T, N;
end function;

Footnote 1. The modular inversion of $T(b)$ should be carried out after
clearing denominators and removing common factors from $N(a)$, $T(b)$, and
$f(u) + N(b)$ (generically, $N(a)$ and $T(b)$ are coprime). Proposition 6
below makes this precise.

The following proposition shows that the maps $T$ and $N$ may be used to
compute $\eta([(a(u), v - b(u))])$ for all points $[(a(u), v - b(u))]$ of
$\mathrm{Jac}(X)$.

Proposition 6. Let $\eta$ be the endomorphism of $\mathrm{Jac}(X)$ induced by
a correspondence $V(v_2 - v_1, E_2(u_1)u_2^2 + E_1(u_1)u_2 + E_0(u_1))$ on
$X \times X$; set $t_1 = -E_1/E_2$ and $n_1 = E_0/E_2$, and let $T$ and $N$ be
the maps of Definition 3. If $(a(u), v - b(u))$ is the reduced representative
of a point $P$ of $\mathrm{Jac}(X)$, then $\eta(P)$ is represented by

$$\left(\frac{E_2^{g_X}N(a)}{G},\ v - \frac{E_2^{g_X}(f + N(b))/G}{E_2^{g_X}T(b)/G} \bmod \frac{E_2^{g_X}N(a)}{G}\right),$$

where $G = \gcd(E_2^{g_X}N(a), E_2^{g_X}T(b))$. Algorithm 1 computes the
reduced representative of $\eta(P)$ after at most $\lceil g_X/2 \rceil$
iterations of its main loop.



Proof. We have

$$\begin{aligned}
\eta([(a(u), v - b(u))]) &= [(a(e_1), v - b(e_1))(a(e_2), v - b(e_2))] \\
&= [(N(a), v^2 - T(b)v + N(b))] \\
&= [(E_2^{g_X})(N(a), T(b)v - (f + N(b)))] \\
&= [(E_2^{g_X}N(a), E_2^{g_X}T(b)v - E_2^{g_X}(f + N(b)))].
\end{aligned}$$

It is easily verified that $E_2^{g_X}N(a)$, $E_2^{g_X}T(b)$ and
$E_2^{g_X}(f + N(b))$ are polynomials, and that if
$G = \gcd(E_2^{g_X}N(a), E_2^{g_X}T(b))$, then $G$ also divides
$E_2^{g_X}(f + N(b))$. Therefore

$$\begin{aligned}
\eta([(a(u), v - b(u))]) &= [(G)(E_2^{g_X}N(a)/G,\ E_2^{g_X}T(b)v/G - E_2^{g_X}(f + N(b))/G)] \\
&= [(E_2^{g_X}N(a)/G,\ E_2^{g_X}T(b)v/G - E_2^{g_X}(f + N(b))/G)] \\
&= [(E_2^{g_X}N(a)/G,\ v - I \cdot E_2^{g_X}(f + N(b))/G)],
\end{aligned}$$

where $I$ denotes the inverse of $E_2^{g_X}T(b)/G$ modulo $E_2^{g_X}N(a)/G$,
proving the first claim. Now, if $(a(u), v - b(u))$ is the reduced
representative of $P$, then $\deg(a) \le g_X$, so the degree of
$E_2^{g_X}N(a)$ is at most $2g_X$. After each iteration of Algorithm 1 the
degree of $a$ becomes $\max(2g_X + 1 - \deg(a), \deg(a) - 2)$, and the
algorithm terminates when $\deg(a) \le g_X$; this occurs after
$\lceil g_X/2 \rceil$ iterations. □

The following algorithm applies Proposition 6 to compute the image of a point
of $\mathrm{Jac}(X)$ under $\eta$. This gives an explicit realization of
$\eta$ as a map on ideal classes.



Algorithm 7. Given a point $P$ on the Jacobian of a curve $X : v^2 = f(u)$
and rational maps $T$ and $N$ derived for an endomorphism $\eta$ of
$\mathrm{Jac}(X)$ using Algorithm 5, returns the reduced ideal class
representative of $\eta(P)$.

function Evaluate(P = (a(u), v - b(u)), T, N)
    a' := N(a);
    d := T(b);
    E := LCM(Denominator(a'), Denominator(d));
    G := GCD(Numerator(a'), Numerator(d));
    a' := E * a'/G;
    d := E * d/G;
    I := d^(-1) (mod a');
    b' := I * E * (f + N(b))/G (mod a');
    return CantorReduction((a', v - b'));
end function;

Remark 8. In the families of curves described in Sections 4 and 5 below,
$T$ and $N$ are polynomial maps, and we may take $E = 1$ in Algorithm 7.

4 Applications I: Curves with Artin-Schreier Covering

In this section we construct a family of curves $X_p$ in one free parameter
$t$ for each prime $p \ge 5$, and determine explicit endomorphisms deriving
from a cover by the Artin-Schreier curve defined over $\mathbb{F}_p$ by

$$C_p : y^p - y = x + \frac{t}{x}.$$

The eigenvalues of Frobenius in this family are described by classical
Kloosterman sums [21].

An analogous family $y^2 = x^p - x + 1$ was described by Duursma and
Sakurai [3], for which the automorphism $x \mapsto x + 1$ was proposed for
efficient scalar multiplication. In contrast to our family, every member of
this family is isomorphic over a base extension to the supersingular curve
$y^2 = x^p - x$.

4.1 Construction of the Artin-Schreier Covering

The curve $C_p$ has automorphisms $\zeta$ (of order $p$) and $\sigma$ (of
order 2), defined by

$$\zeta(x, y) = (x, y + 1) \quad\text{and}\quad \sigma(x, y) = (-t/x, -y).$$

Let $X_p$ be the quotient of $C_p$ by $\langle\sigma\rangle$, with affine model

$$X_p : v^2 = f(u) = u(u^{(p-1)/2} - 1)^2 - 4t.$$

The quotient map $\pi : C_p \to X_p$ is a covering of degree 2, sending
$(x, y)$ to $(u, v) = (y^2, x - t/x)$. Observe that $X_p$ is a family of
curves of genus $(p - 1)/2$.



The automorphism $\zeta$ of $C_p$ induces an endomorphism
$\eta := (\pi \circ \zeta)_*\pi^*$ on $\mathrm{Jac}(X_p)$, whose minimal
polynomial equals that of $\eta_p = \zeta_p + \zeta_p^{-1} \in \mathbb{C}$.
The endomorphism $\eta$ is induced by the correspondence
$Z := ((\pi \circ \zeta) \times \pi)(C_p)$ on $X_p \times X_p$, for which we
may directly compute an affine model

$$Z = V(v_2 - v_1,\ u_2^2 + u_1^2 - 2u_1u_2 - 2u_2 - 2u_1 + 1).$$

Setting $t_1 := 2(u + 1)$ and $n_1 := (u - 1)^2$ and applying Algorithm 5, we
obtain polynomial maps $T$ and $N$ such that $\eta$ is realized by
$P \mapsto \mathrm{Evaluate}(P, T, N)$, using Algorithm 7. The first few $t_i$
and $n_{i,j}$ derived in Algorithm 5 are given in Table 1 below.

Proposition 9. The Jacobian $\mathrm{Jac}(C_p)$ is isogenous to
$\mathrm{Jac}(X_p)^2$, and its endomorphism ring contains an order in
$M_2(\mathbb{Q}(\eta_p))$.

Proof. The automorphisms $\zeta$ and $\sigma$ determine a homomorphic image of
the group algebra $A = \mathbb{Q}[\langle\zeta, \sigma\rangle]$ in
$\mathrm{End}^0(\mathrm{Jac}(C_p))$. But $A$ is a semisimple algebra of
dimension $2p$ over $\mathbb{Q}$, whose simple quotients are of dimensions 1,
1, and $2\varphi(p)$. Moreover, $\zeta + \zeta^{-1}$ is in the centre of $A$
and generates a subring isomorphic to
$\mathbb{Q} \times \mathbb{Q}(\eta_p)$. Since $\zeta$ and $\sigma$ do not
commute, it follows that the latter algebra is isomorphic to
$M_2(\mathbb{Q}(\eta_p))$.

Let $e_1$ and $e_2$ be the central idempotents associated to the quotients of
dimensions 1. On each associated abelian variety $e_i\mathrm{Jac}(C_p)$, the
automorphism $\zeta$ acts trivially, thus maps through the Jacobian of the
genus 0 quotient $C_p/\langle\zeta\rangle$; it follows that the image of $A$
in $\mathrm{End}^0(\mathrm{Jac}(C_p))$ is isomorphic to
$M_2(\mathbb{Q}(\eta_p))$.

Let $\varepsilon_1 = 1 + \sigma$ and $\varepsilon_2 = 1 - \sigma$. Noting that

$$\varepsilon_i^2 = 2\varepsilon_i, \quad \varepsilon_1\varepsilon_2 = 0, \quad\text{and}\quad \varepsilon_1 + \varepsilon_2 = 2,$$

we let $A_1 = \varepsilon_{1*}\mathrm{Jac}(C_p)$ and
$A_2 = \varepsilon_{2*}\mathrm{Jac}(C_p)$ be subabelian varieties of
$\mathrm{Jac}(C_p)$ such that $\mathrm{Jac}(C_p) = A_1 + A_2$, and
$A_1 \cap A_2$ is finite. Since $\zeta - \zeta^{-1}$ determines an isogeny
$\psi = \zeta_* - \zeta_*^{-1}$ of $\mathrm{Jac}(C_p)$ to itself, the relation

$$(\zeta - \zeta^{-1})\varepsilon_1 = \varepsilon_2(\zeta - \zeta^{-1})$$

implies that $\psi(A_1) = \varepsilon_{2*}\psi(\mathrm{Jac}(C_p)) = A_2$, so
that $A_1$ and $A_2$ are isogenous. But $\pi_*$ is an isogeny of $A_1$ to
$\mathrm{Jac}(X_p)$, whence $\mathrm{Jac}(C_p) \sim \mathrm{Jac}(X_p)^2$. □

Corollary 10. The Jacobian $\mathrm{Jac}(X_p)$ has a rational $p$-torsion
point. In particular, $\mathrm{Jac}(X_p)$ is not a supersingular abelian
variety.

Proof. The curve $C_p$ has two rational points fixed by $\zeta$, whose
difference determines a point in $\ker(1 - \zeta_*)$. But

$$(1 - \zeta)(1 - \zeta^2)\cdots(1 - \zeta^{p-1}) = p,$$

so $\ker(1 - \zeta_*)$ is contained in $\mathrm{Jac}(X_p)[p]$. If $\chi(T)$
and $\xi(T)$ are the characteristic polynomials of Frobenius on
$\mathrm{Jac}(C_p)$ and $\mathrm{Jac}(X_p)$, respectively, then
$\chi(T) = \xi(T)^2$. Since $|\mathrm{Jac}(C_p)(k)| = \chi(1)$ is divisible by
$p$, so is $|\mathrm{Jac}(X_p)(k)| = \xi(1)$. □

Remark 11. In fact, it is possible to show that the $p$-rank of
$\mathrm{Jac}(X_p)$ is exactly equal to 1, so the Jacobians are neither
ordinary nor supersingular.



Table 1. Artin-Schreier covers: $t_i$ and $n_{i,j}$ for $0 \le i \le j \le 3$

    t_0     = 2
    t_1     = 2(u + 1)
    t_2     = 2(u^2 + 6u + 1)
    t_3     = 2(u^3 + 15u^2 + 15u + 1)

    n_{0,0} = 1
    n_{0,1} = 2(u + 1)
    n_{0,2} = 2(u^2 + 6u + 1)
    n_{0,3} = 2(u^3 + 15u^2 + 15u + 1)
    n_{1,1} = (u - 1)^2
    n_{1,2} = 2(u - 1)^2 (u + 1)
    n_{1,3} = 2(u - 1)^2 (u^2 + 6u + 1)
    n_{2,2} = (u - 1)^4
    n_{2,3} = 2(u - 1)^4 (u + 1)
    n_{3,3} = (u - 1)^6


4.2 Hyperelliptic Curves of Genus 2 with Real Multiplication by $\eta_5$

For $p = 5$, the construction above yields a one-parameter family of genus 2
hyperelliptic curves defined by

$$X_5 : v^2 = f_5(u) = u(u^2 - 1)^2 + t,$$

whose Jacobian has endomorphism ring containing
$\mathbb{Z}[\eta_5] \cong \mathbb{Z}[x]/(x^2 + x - 1)$.

Each point $P$ of $\mathrm{Jac}(X_5)$ may be represented by an ideal
$(a(u), v - b(u))$ with $a$ and $b$ of degrees 2 and 1 respectively: hence,
suppose $a(u) = a_2u^2 + a_1u + a_0$ and $b(u) = b_1u + b_0$. Applying
Algorithm 5, we see that

$$\begin{aligned}
N(a) &= a_2^2n_{2,2} + a_2a_1n_{1,2} + a_1^2n_{1,1} + a_2a_0n_{0,2} + a_1a_0n_{0,1} + a_0^2n_{0,0}, \\
N(b) &= b_1^2n_{1,1} + b_1b_0n_{0,1} + b_0^2n_{0,0}, \text{ and} \\
T(b) &= 2b_1(u + 1) + 2b_0,
\end{aligned}$$

with the $n_{i,j}$ as in Table 1. The endomorphism $\eta$ is then explicitly
realized by $\eta : P \mapsto \mathrm{Evaluate}(P, T, N)$, using Algorithm 7.

Remark 12. The Igusa invariants of the curve $X_5$ determine the weighted
projective point $(J_2 : J_4 : J_6 : J_8 : J_{10}) = (3 : 2 : 0 : 4 : 4t^2)$.
In particular, the curves determine a one-dimensional subvariety of the moduli
space of genus 2 curves.

4.3 Hyperelliptic Curves of Genus 3 with Real Multiplication by $\eta_7$

For $p = 7$, we derive a family of genus 3 hyperelliptic curves

$$X_7 : v^2 = u(u^3 - 1)^2 + t,$$

and an endomorphism $\eta$ of $\mathrm{Jac}(X_7)$ with
$\mathbb{Z}[\eta] \cong \mathbb{Z}[\zeta_7 + \zeta_7^{-1}]$ by Proposition 2.
Applying Algorithm 5, we derive polynomial maps $T$ and $N$, which we use with
Algorithm 7 to realize $\eta$ as $\eta : P \mapsto \mathrm{Evaluate}(P, T, N)$.

5 Applications II: Curves with Cyclotomic Covering 

In this section we develop explicit endomorphisms for the one-dimensional
families of hyperelliptic curves with real multiplication based on cyclotomic
coverings, as defined in Tautz, Top, and Verberkmoes [20].



5.1 Construction of the Cyclotomic Covering 

Let $n > 2$, and let $\rho_n$ and $\rho_{2n}$ be primitive $n$-th and
$2n$-th roots of unity over $k$ such that $\rho_{2n}^2 = \rho_n$; also set
$\tau_n = \rho_n + \rho_n^{-1}$. Consider the family of hyperelliptic curves
of genus $n$ over $k$ in one free parameter $t$ defined by

$$C_n : y^2 = x(x^{2n} + tx^n + 1).$$

The curve $C_n$ has an automorphism $\zeta$ of order $2n$ and an involution
$\sigma$, defined by

$$\zeta : (x, y) \mapsto (\rho_nx, \rho_{2n}y) \quad\text{and}\quad \sigma : (x, y) \mapsto (x^{-1}, x^{-(n+1)}y),$$

respectively; note that $\zeta^n$ is the hyperelliptic involution
$(x, y) \mapsto (x, -y)$. We define $X_n := C_n/\langle\sigma\rangle$ to be
the quotient of $C_n$ by the action of $\sigma$. The curve $X_n$ has an
affine model

$$X_n : v^2 = f_n(u) = D_n(u, 1) + t,$$

where $D_n(u, 1)$ is the $n$-th Dickson polynomial of the first kind with
parameter 1 (see footnote 2), defined recursively by

$$D_n(u, 1) = uD_{n-1}(u, 1) - D_{n-2}(u, 1) \qquad (3)$$

for $n \ge 2$, with $D_0(u, 1) = 2$ and $D_1(u, 1) = u$. Dickson polynomials
and their properties are described in [12]; for our purposes, it is enough to
know that

$$D_n(u + u^{-1}, 1) = u^n + u^{-n} \qquad (4)$$

(this is easily verified by induction), which further implies

$$D_{nm}(u, 1) = D_n(D_m(u, 1), 1). \qquad (5)$$

Remark 13. When $n$ is odd, our curves $C_n$ and $X_n$ coincide with the
curves $\mathcal{D}_n$ and $\mathcal{C}_n$ of [20]; for even $n$, our families
instead coincide with the curves described in the remark of [20, page 1058].

The quotient projection $\pi : C_n \to X_n$ is a covering of degree 2.
Equation (4) above shows that it is defined by

$$\pi : (x, y) \mapsto (u, v) = (x + x^{-1}, x^{-(n+1)/2}y).$$

The automorphism $\zeta$ of $C_n$ induces an endomorphism
$\eta = (\pi \circ \zeta)_* \circ \pi^*$ of $\mathrm{Jac}(X_n)$. If $n$ is
prime, then Proposition 2 implies that
$\mathbb{Z}[\eta] \cong \mathbb{Z}[\zeta_n + \zeta_n^{-1}]$, where $\zeta_n$
is an $n$-th root of unity over $\mathbb{Q}$.

Footnote 2. Dickson polynomials are generally defined with a parameter $a$ in
$k$, by the recurrence

$$D_n(u, a) = uD_{n-1}(u, a) - aD_{n-2}(u, a).$$

It is easily shown that the curve defined by $v^2 = D_n(u, a) + t$ for any
nonzero $a$ is a twist of $X_n$. When $a = 0$, we obtain a one-dimensional
family of curves with complex multiplication by these curves are described in
[16, §6.4].



The endomorphism $\eta$ is induced by the correspondence
$Z := ((\pi \circ \zeta) \times \pi)(C_n)$ on $X_n \times X_n$, for which we
directly compute an affine model

$$Z = V(v_2 - v_1,\ u_1^2 + u_2^2 - \tau_nu_1u_2 + \tau_n^2 - 4).$$

Setting $t_1 := \tau_nu$ and $n_1 := u^2 + \tau_n^2 - 4$, we apply Algorithm 5
to obtain maps $T : k[u] \to k[u]$ and $N : k[u] \to k[u]$ such that the
endomorphism $\eta$ is realized by $P \mapsto \mathrm{Evaluate}(P, T, N)$,
using Algorithm 7. The first few $t_i$ and $n_{i,j}$ derived in Algorithm 5
are given in Table 2 below.



Table 2. Cyclotomic covers: $t_i$ and $n_{i,j}$ for $0 \le i \le j \le 3$

    t_2 = n_{0,2} = (\tau_n^2 - 2)u^2 - 2(\tau_n^2 - 4)
    t_3           = \tau_n(\tau_n^2 - 3)u^3 - 3\tau_n(\tau_n^2 - 4)u
    n_{0,3}       = \tau_n((\tau_n^2 - 3)u^2 - 3(\tau_n^2 - 4))u
    n_{1,1}       = u^2 + \tau_n^2 - 4
    n_{1,2}       = \tau_n(u^2 + \tau_n^2 - 4)u
    n_{1,3}       = (\tau_n^2 - 2)u^4 + (\tau_n^2 - 4)^2(u^2 - 2)

The elliptic curve $C_1 : y^2 = x(x^2 + tx + 1)$ is obviously covered by
$C_n$, and is therefore a factor of $\mathrm{Jac}(C_n)$. The following
analogue of Proposition 9 holds for this cyclotomic family, and is proved
similarly.

Proposition 14. The Jacobian $\mathrm{Jac}(C_n)$ is isogenous to
$C_1 \times \mathrm{Jac}(X_n)^2$ for $n$ prime, and its endomorphism ring
contains an order in $\mathbb{Q} \times M_2(\mathbb{Q}(\eta_n))$.

Remark 15. If $n$ is a prime other than 5, then |2l)l Corollary 6] implies
that $\mathrm{Jac}(X_n)$ is absolutely simple for general values of $t$ over a
field of characteristic 0. For $n = 5$, we find that the condition of
Stoll [TS] (see §14.4]) for $\mathrm{Jac}(X_5)$ to be absolutely simple is
satisfied by $X_5$ with $t = 1$ at $p = 11$. Conversely, if $n = pm$, for
$p > 2$ and $m > 1$, then identity (5) above gives a covering $X_n \to X_p$ of
degree $m$, defined by $(u, v) \mapsto (D_m(u, 1), v)$. It follows that
$\mathrm{Jac}(X_n)$ has a factor isogenous to $\mathrm{Jac}(X_p)$, and so is
not simple.

5.2 Hyperelliptic Curves of Genus 2 with Real Multiplication by $\eta_5$

Consider the case $n = 5$. Equation (3) shows that
$D_5(u, 1) = u^5 - 5u^3 + 5u$, so the curve $X_5 = C_5/\langle\sigma\rangle$
is the curve of genus 2 defined by the affine model

$$X_5 : v^2 = f_5(u) = u^5 - 5u^3 + 5u + t.$$

Each point on $\mathrm{Jac}(X_5)$ has a representative in the form
$(a(u), v - b(u))$, with $\deg a = 2$ and $\deg b = 1$; so suppose
$a(u) = a_2u^2 + a_1u + a_0$ and $b(u) = b_1u + b_0$. Applying Algorithm 5, we
obtain maps $T$ and $N$ such that

$$\begin{aligned}
N(a) &= a_2^2u^4 + a_2a_1\tau_5u^3 + (2a_2^2(\tau_5^2 - 4) + a_1^2 + a_2a_0(\tau_5^2 - 2))u^2 \\
&\quad + a_1(a_2(\tau_5^2 - 4) + a_0)\tau_5u + ((\tau_5^2 - 4)(a_2^2(\tau_5^2 - 4) + a_1^2 - 2a_2a_0) + a_0^2), \\
N(b) &= b_1^2u^2 + b_1b_0\tau_5u + b_1^2(\tau_5^2 - 4) + b_0^2, \text{ and} \\
T(b) &= \tau_5b_1u + 2b_0.
\end{aligned}$$

The endomorphism $\eta$ is then explicitly realized by
$\eta : P \mapsto \mathrm{Evaluate}(P, T, N)$, using Algorithm 7.
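The following added example (not code from the paper) runs Algorithms 1, 5 and 7 on this genus-2 cyclotomic curve and checks that the image of a point is again a reduced Mumford pair on the curve. The prime 11, the value 3 for $\tau_5$, $t = 1$, the sample point and all function names are assumptions chosen for illustration.

```python
# Added illustration (not the authors' code): Algorithms 1, 5 and 7 on X_5 over a toy field.
from functools import reduce
from itertools import zip_longest
P, G = 11, 2           # toy prime and genus (assumed sample values, not cryptographic)
TAU, T_PARAM = 3, 1    # TAU^2 + TAU - 1 = 0 mod 11, so TAU stands in for tau_5; t = 1

def trim(a):           # polynomials are coefficient lists, lowest degree first
    a = [c % P for c in a]
    while a and a[-1] == 0:
        a.pop()
    return a

def add(a, b):
    return trim([x + y for x, y in zip_longest(a, b, fillvalue=0)])
def scale(a, c):
    return trim([c * x for x in a])
def sub(a, b):
    return add(a, scale(b, -1))

def mul(a, b):
    r = [0] * max(len(a) + len(b) - 1, 0)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            r[i + j] += x * y
    return trim(r)

def divmod_poly(a, b):  # quotient and remainder of a by a nonzero b
    a, inv = trim(a), pow(b[-1], -1, P)
    q = [0] * max(len(a) - len(b) + 1, 0)
    while len(a) >= len(b):
        c, d = a[-1] * inv % P, len(a) - len(b)
        q[d] = c
        a = trim([x - c * b[i - d] if i >= d else x for i, x in enumerate(a)])
    return trim(q), a

def gcd(a, b):          # monic gcd
    while b:
        a, b = b, divmod_poly(a, b)[1]
    return scale(a, pow(a[-1], -1, P))

def inv_mod(d, m):      # inverse of d modulo m by extended Euclid
    r0, r1, s0, s1 = m, divmod_poly(d, m)[1], [], [1]
    while len(r1) > 1:
        q, r = divmod_poly(r0, r1)
        r0, r1, s0, s1 = r1, r, s1, sub(s0, mul(q, s1))
    if not r1:
        raise ValueError("T(b)/G is not invertible modulo N(a)/G")
    return scale(s1, pow(r1[0], -1, P))

def rational_maps(t1, n1, g):
    """Algorithm 5: build t_i and n_{i,j} from t_1, n_1 by the recurrences of Lemma 4."""
    t, n = [[2], t1], [[1], n1]
    for i in range(1, g):
        n.append(mul(n1, n[i]))
        t.append(sub(mul(t1, t[i]), mul(n1, t[i - 1])))
    nij = {(i, j): (n[i] if i == j else mul(n[i], t[j - i]))
           for i in range(g + 1) for j in range(i, g + 1)}
    T = lambda b: reduce(add, (scale(t[i], c) for i, c in enumerate(b)), [])
    N = lambda a: reduce(add, (scale(nij[i, j], a[i] * a[j])
                               for i in range(len(a)) for j in range(i, len(a))), [])
    return T, N

def cantor_reduction(a, b, f):
    """Algorithm 1: reduce a semi-reduced pair (a, v - b)."""
    while len(a) - 1 > G:
        a, rem = divmod_poly(sub(f, mul(b, b)), a)
        if rem:
            raise ValueError("a does not divide f - b^2")
        b = divmod_poly(scale(b, -1), a)[1]
    return scale(a, pow(a[-1], -1, P)), b

def evaluate(a, b, f, T, N):
    """Algorithm 7 with E = 1 (T and N are polynomial maps here, see Remark 8)."""
    na, tb = N(a), T(b)
    g = gcd(na, tb)
    a1, d = divmod_poly(na, g)[0], divmod_poly(tb, g)[0]
    num = divmod_poly(add(f, N(b)), g)[0]
    b1 = divmod_poly(mul(inv_mod(d, a1), num), a1)[1]
    return cantor_reduction(a1, b1, f)

def on_jacobian(a, b, f):  # a monic, deg b < deg a <= g, and a divides f - b^2
    rem = divmod_poly(sub(f, mul(b, b)), a)[1]
    return len(a) - 1 <= G and a[-1] == 1 and len(b) < len(a) and not rem

F5 = trim([T_PARAM, 5, 0, -5, 0, 1])     # f_5(u) = u^5 - 5u^3 + 5u + t
T_MAP, N_MAP = rational_maps([0, TAU], trim([TAU * TAU - 4, 0, 1]), G)
A, B = [0, 8, 1], [1, 5]                 # constructed point (0,1) + (3,5): a = u(u-3), b = 5u+1
ETA_P = evaluate(A, B, F5, T_MAP, N_MAP)
```

`N_MAP(A)` and `T_MAP(B)` agree with the closed forms for $N(a)$ and $T(b)$ given above, and `ETA_P` is the reduced pair $(u^2 + 6u + 10,\ v - (3u + 6))$ over $\mathbb{F}_{11}$.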

Remark 16. The weighted projective Igusa invariants of the generic curve are:

$$(140 : 550 : 640t^2 - 60 : 22400t^2 - 77725 : 256t^4 - 2048t^2 + 4096).$$

In particular, this family corresponds to a one-dimensional subvariety in the 
moduli space. 

5.3 Hyperelliptic Curves of Genus 3 with Real Multiplication by $\eta_7$

In the case $n = 7$, we derive a family of curves

$$X_7 : v^2 = u^7 - 7u^5 + 14u^3 - 7u + t,$$

and an endomorphism $\eta$ of $\mathrm{Jac}(X_7)$ with
$\mathbb{Z}[\eta] \cong \mathbb{Z}[\zeta_7 + \zeta_7^{-1}]$ by Proposition 2.
Applying Algorithm 5, we derive polynomial maps $T$ and $N$, which we may then
use with Algorithm 7 to realize $\eta$ as
$\eta : P \mapsto \mathrm{Evaluate}(P, T, N)$.

6 Applications III: Curves From Elliptic Coverings 

In [14], Mestre constructs a series of two-dimensional families of
hyperelliptic curves with explicit real endomorphisms, which are similarly
realized by explicit correspondences. For the case $\eta_5$, Takashima [19]
independently developed an explicit algorithm and complexity analysis for
two- and three-dimensional families (see footnote 3) referred to as
Mestre-Hashimoto and Brumer-Hashimoto (see [Hj).

6.1 Hyperelliptic Curves of Genus 2 with Real Multiplication by $\eta_5$

Let $s$ and $t$ be free parameters, and consider the family of curves defined by

$$X_5 : v^2 = f_5(u) = u^4(u - s) - s(u + 1)(u - s)^3 + s^3u^3 - tu^2(u - s)^2.$$

Mestre shows that $\mathrm{Jac}(X_5)$ has an endomorphism $\eta$ satisfying
$\eta^2 + \eta - 1 = 0$, induced by the correspondence $Z$ with affine model

$$Z = V(v_2 - v_1,\ u_1^2u_2^2 + s(s - 1)u_1u_2 - s^2(u_1 + u_2) + s^3).$$

We will derive an explicit form for $\eta$. Since $X_5$ is a curve of genus 2,
each point of $\mathrm{Jac}(X_5)$ may be represented by an ideal
$(a(u), v - b(u))$ with $a = a_2u^2 + a_1u + a_0$ and $b = b_1u + b_0$.
Setting $t_1 = -s((s - 1)u - s)/u^2$ and $n_1 = s^2(-u + s)/u^2$, we apply
Algorithm 5 to derive maps $T$ and $N$ such that

$$\begin{aligned}
N(a) &= a_2^2n_{2,2} + a_2a_1n_{1,2} + a_1^2n_{1,1} + a_2a_0n_{0,2} + a_1a_0n_{0,1} + a_0^2n_{0,0}, \\
N(b) &= b_1^2n_{1,1} + b_1b_0n_{0,1} + b_0^2n_{0,0}, \text{ and} \\
T(b) &= -b_1s((s - 1)u - s)/u^2 + 2b_0,
\end{aligned}$$

with the $n_{i,j}$ given in the table below.

Footnote 3. The moduli of genus 2 curves with real multiplication by $\eta_5$
form a two-dimensional subvariety of the moduli space of genus 2 curves, so
this three-dimensional family contains one-dimensional fibres of
geometrically isomorphic curves.

The endomorphism $\eta$ is then explicitly realized by
$\eta : P \mapsto \mathrm{Evaluate}(P, T, N)$, using Algorithm 7.



6.2 Hyperelliptic Curves of Genus 3 with Real Multiplication by $\eta_7$

Let $s$ and $t$ be free parameters, and consider the family of hyperelliptic
genus 3 curves defined by

$$X_7 : v^2 = f_7(u) = \phi_7(u) - t\psi_7(u)^2$$

where $\psi_7(u) := u(u - s^3 + s^2)(u - s^2 + s)$ and

$$\begin{aligned}
\phi_7(u) := u\psi_7(u)^2 &+ s(s - 1)(s^2 - s + 1)(s^3 + 2s^2 - 5s + 1)u^5 \\
&- s^3(s - 1)^2(6s^4 - 11s^3 + 12s^2 - 11s - 1)u^4 \\
&+ s^4(s - 1)^3(s^2 - s - 1)(s^3 + 2s^2 + 6s + 1)u^3 \\
&- s^6(s - 1)^4(s + 1)(3s^2 - 5s - 3)u^2 \\
&+ s^8(s - 1)^5(s^2 - 3s - 3)u + s^{10}(s - 1)^6.
\end{aligned}$$

Mestre shows that $\mathrm{Jac}(X_7)$ has an endomorphism $\eta$ satisfying
$\eta^3 + \eta^2 - 2\eta - 1 = 0$, induced by the correspondence
$Z = V(v_2 - v_1, E)$ on $X_7 \times X_7$, where

$$E = u_1^2u_2^2 - s^2(s - 1)(s^2 - s - 1)u_1u_2 - s^4(s - 1)^2(u_1 + u_2) + s^6(s - 1)^3.$$

Since $X_7$ is a curve of genus 3, each point on $\mathrm{Jac}(X_7)$ may be
represented by an ideal $(a(u), v - b(u))$, where $a$ and $b$ are polynomials
of degree 3 and 2, respectively. Setting

$$\begin{aligned}
t_1 &= s^2(s - 1)((s^2 - s - 1)u + s^2(s - 1))/u^2 \text{ and} \\
n_1 &= -s^4(s - 1)^2(u + s^2(s - 1))/u^2,
\end{aligned}$$

we apply Algorithm 5 to derive maps $T$ and $N$ from $k[u]$ into $k(u)$; the
elements $n_{i,j}$ computed by Algorithm 5 are given in the table below.

The endomorphism $\eta$ is then explicitly realized by
$\eta : P \mapsto \mathrm{Evaluate}(P, T, N)$, using Algorithm 7.



7 Construction of Curves of Cryptographic Proportions 



The curves presented here not only admit efficiently computable
endomorphisms, they also permit random selection of curve parameters in a
large family. For example, let $\mathbb{F}_{5^{37}} = \mathbb{F}_5[\xi]$ be
the extension of $\mathbb{F}_5$ such that $\xi^{37} + 4\xi^2 + 3\xi + 3 = 0$,
and take

t = 3ξ^5 + + 3ξ^3 + ξ^2 + 2ξ + 3.

This gives a curve $X : v^2 = u(u^2 - 1)^2 + t$ in the Artin-Schreier family
whose Jacobian has nearly prime group order

$$|\mathrm{Jac}(X)(\mathbb{F}_5[\xi])| = 5 \cdot n,$$

with prime cofactor

n = 1058791184067701689674637025340531565456011790341311.

Such curves are amenable to efficient point counting techniques using
Monsky-Washnitzer cohomology |7I9|. If $y$ is a square root of $t$, then
$(0, y)$ is a point on $X$; let $P = [(u, v - y)]$ be the corresponding point
on $J$. Then $Q = [5](P)$ generates a cyclic group of order $n$, on which
$[\eta]$ satisfies

$$([\eta_5]^2 + [\eta_5] - 1)(Q) = [(1)]$$

and in particular, $[\eta_5](5P) = [m](5P)$, where

m = 336894053941004885519266617028956898972619907667301

is one of the two roots of $x^2 + x - 1 \bmod n$.
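The following added example (not code from the paper) shows how the eigenvalue $m$ is used in the decomposition $[k]Q = [k_0]Q + [k_1]\eta(Q)$ from the introduction: it reduces the lattice of pairs $(x, y)$ with $x + ym \equiv 0 \pmod n$ and rounds against the short basis. The values of $n$ and $m$ are quoted from this section; the sample scalar and all function names are assumptions.

```python
# Added illustration (not from the paper): GLV-style scalar decomposition for the
# Section 7 example, where [eta_5] acts on <Q> as multiplication by m modulo n.
N_ORDER = 1058791184067701689674637025340531565456011790341311  # n, quoted from Section 7
M_EIGEN = 336894053941004885519266617028956898972619907667301   # m, quoted from Section 7

def round_div(a, b):
    """Nearest integer to a/b for integers a, b with b != 0."""
    if b < 0:
        a, b = -a, -b
    return (2 * a + b) // (2 * b)

def gauss_reduce(v1, v2):
    """Lagrange-Gauss reduction of a basis of a rank-2 integer lattice."""
    norm = lambda v: v[0] * v[0] + v[1] * v[1]
    if norm(v1) > norm(v2):
        v1, v2 = v2, v1
    while True:
        mu = round_div(v1[0] * v2[0] + v1[1] * v2[1], norm(v1))
        v2 = (v2[0] - mu * v1[0], v2[1] - mu * v1[1])
        if norm(v2) >= norm(v1):
            return v1, v2
        v1, v2 = v2, v1

def glv_basis(n, m):
    """Short basis of {(x, y) : x + y*m = 0 mod n}, starting from (n, 0) and (-m, 1)."""
    return gauss_reduce((n, 0), (-m, 1))

def decompose(k, n, m, basis=None):
    """Return (k0, k1) with k0 + k1*m = k (mod n), so that [k]Q = [k0]Q + [k1]eta(Q)."""
    v1, v2 = basis or glv_basis(n, m)
    det = v1[0] * v2[1] - v1[1] * v2[0]
    # Write (k, 0) = beta1*v1 + beta2*v2 over the rationals and round each coordinate.
    c1 = round_div(k * v2[1], det)
    c2 = round_div(-k * v1[1], det)
    return k - c1 * v1[0] - c2 * v2[0], -c1 * v1[1] - c2 * v2[1]

BASIS = glv_basis(N_ORDER, M_EIGEN)
K = 0x1F2E3D4C5B6A79880123456789ABCDEF0FEDCBA98 % N_ORDER  # constructed sample scalar
K0, K1 = decompose(K, N_ORDER, M_EIGEN, BASIS)
```

Each of `K0` and `K1` is bounded in absolute value by half the sum of the corresponding coordinates of the two reduced basis vectors, which is what makes the two half-length multiplications cheaper than one full-length multiplication.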

Acknowledgement. The authors thank K. Takashima for providing an advance
draft of his article [19], and for references to the work of Hashimoto.